Commit log: message, author, date, files changed, lines (-removed/+added)
...
* dm-verity: Adjust the image names according to the oe-core change
  Kevin Hao, 2024-03-27, 3 files, -5/+5

    After the oe-core commit 26d97acc7137 ("image-artifact-names: include
    ${IMAGE_NAME_SUFFIX} directly in both ${IMAGE_NAME} and ${IMAGE_LINK_NAME}"),
    the image names have changed from

      core-image-minimal-qemux86-64-20230307181808.rootfs.ext4
      core-image-minimal-qemux86-64.ext4

    to

      core-image-minimal-qemux86-64.rootfs-20230307181456.ext4
      core-image-minimal-qemux86-64.rootfs.ext4

    Adjust the image names used by dm-verity according to this change.

    Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* docs: dm-verity.txt: Fix a typo
  Kevin Hao, 2024-03-27, 1 file, -1/+1

    Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* meta-security: Drop ${PYTHON_PN}
  Armin Kuster, 2024-03-27, 5 files, -15/+15

    Signed-off-by: Armin Kuster <akuster808@gmail.com>
    ---
    V2] Fix typo in python3-pyinotify changes

* lynis: Add missing runtime dependencies
  BELOUARGA Mohamed, 2024-02-20, 1 file, -1/+1

    The Lynis tool needs ip, ss, tr and netstat. If they are missing, Lynis
    skips some important audit tests.

    Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* checksec: Add more runtime dependencies to checksec tool
  BELOUARGA Mohamed, 2024-02-20, 1 file, -1/+1

    The checksec tool depends on the commands "find, file and ps".

    Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* openscap: fix build with python 3.12
  Yi Zhao, 2024-02-20, 2 files, -1/+60

    Backport a patch to fix the build with python 3.12:

    $ bitbake openscap-native
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
    ModuleNotFoundError: No module named 'distutils'
    CMake Error at swig/python3/CMakeLists.txt:35 (install):
      install TARGETS given no LIBRARY DESTINATION for module target
      "_openscap_py".

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* integrity-image-minimal: Fix IMAGE_INSTALL
  Leon Anavi, 2024-02-20, 1 file, -6/+4

    Append to IMAGE_INSTALL rather than directly setting the variable, and do
    it after inheriting core-image.bbclass, because in it IMAGE_INSTALL is set
    with the default value CORE_IMAGE_BASE_INSTALL. The variable
    CORE_IMAGE_BASE_INSTALL includes CORE_IMAGE_EXTRA_INSTALL, so the change
    allows adding auditd to CORE_IMAGE_EXTRA_INSTALL as per the instructions
    in meta-integrity/README.md.

    Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* linux-yocto%.bbappend: Add audit.cfg
  Leon Anavi, 2024-02-20, 3 files, -2/+10

    Add the audit.cfg configuration fragment. By default it is not appended
    to SRC_URI. It allows enabling the audit kernel subsystem, which may help
    debug appraisal issues. Boot with "integrity_audit=1" to capture a more
    complete set of events in /var/log/audit/.

    Previously the same configuration fragment was provided by the layer
    meta-security-framework, but it is no longer maintained, therefore it
    makes sense to have audit.cfg in the layer meta-integrity.

    Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* scap-security-guide: update to 0.1.71
  Armin Kuster, 2024-01-28, 1 file, -3/+3

    Change branch name to stable.

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* python3-fail2ban: remove unused distutils dependency
  Armin Kuster, 2024-01-28, 1 file, -1/+0

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* python3-pyinotify: do not rely on smtpd module
  Armin Kuster, 2024-01-28, 1 file, -1/+0

    It's not mentioned anywhere in the source code, and python 3.12 has
    removed it.

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* meta-security: libhoth: SRCREV bump e520f8f...e482716
  Yushi Sun, 2024-01-28, 1 file, -1/+1

    Nicholas Nooney (1):
          Update error messages in htool_exec_hostcmd (#43)

    Royce (1):
          Add ability to process raw host commands (#41)

    Yoan Andreev (1):
          Payload getstatus (#40)

    daimeng (1):
          htool: Allow console snapshot on proxy channels (#42)

    Signed-off-by: Yushi Sun <yushis@google.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* parsec-tool: fix serialNumber check
  Mikko Rapeli, 2024-01-28, 2 files, -1/+36

    The new openssl 3.2.0 version removed spaces around serialNumber in:

      Subject: CN=parallaxsecond.com, serialNumber=EZ4U2CIXL

    Fixes the parsec-service oeqa test on qemu.

    Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* python3-pyinotify: fail2ban needs this module
  Armin Kuster, 2023-12-29, 1 file, -0/+19

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* dm-verity-img.bbclass: add DM_VERITY_DEPLOY_DIR
  Mikko Rapeli, 2023-12-29, 1 file, -2/+6

    If image recipe A wants to embed another image B which used
    dm-verity-img.bbclass and generated the .wks file, then recipe B must
    deploy everything to IMGDEPLOYDIR, but recipe A finds the output from
    DM_VERITY_DEPLOY_DIR = "${DEPLOY_DIR_IMAGE}".

    Now both A and B images can use dm-verity-img.bbclass.

    Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
    Reviewed-by: Erik Schilling <erik.schilling@linaro.org>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* dm-verity-img.bbclass: remove IMAGE_NAME_SUFFIX
  Erik Schilling, 2023-12-29, 1 file, -2/+2

    It is embedded into IMAGE_NAME since poky master branch commit
    6f6c79029bc2020907295858449c725952d560a1

    Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
    Signed-off-by: Erik Schilling <erik.schilling@linaro.org>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* dm-verity-img.bbclass: use bc-native
  Erik Schilling, 2023-12-29, 1 file, -2/+4

    The build host may not have bc.

    Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
    Signed-off-by: Erik Schilling <erik.schilling@linaro.org>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* tpm2-tss: support native builds
  Mikko Rapeli, 2023-12-29, 1 file, -0/+2

    The systemd tool ukify
    https://www.freedesktop.org/software/systemd/man/latest/ukify.html
    depends on systemd-measure
    https://www.freedesktop.org/software/systemd/man/latest/systemd-measure.html
    which depends on tpm2-tss. So to support creating UKI images containing
    both kernel and initramfs with systemd-native, tpm2-tss support is needed
    for native too.

    Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
    Reviewed-by: Erik Schilling <erik.schilling@linaro.org>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* arpwatch: adjust CONFIGURE params to allow to build again.
  Armin Kuster, 2023-12-29, 1 file, -4/+2

    Drop EXTRA_OECONF

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* layers: Move READMEs to markdown format
  Armin Kuster, 2023-12-29, 3 files, -0/+0

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* lynis: Update SRC_URI to improve updater
  Armin Kuster, 2023-12-29, 1 file, -1/+3

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* python3-privacyidea: Update to 3.9.1
  Armin Kuster, 2023-12-29, 1 file, -1/+1

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* libhoth recipe update
  Dawid Dabrowski, 2023-12-29, 1 file, -1/+1

    Changelog:

    Dawid Dabrowski
      Add support for payload update protocol for generic Titan images.

    Nick Nooney
      Add BUILD rules to support using libhoth with external tools.

    Yoan Andreev
      Add spi passthrough enable and disable commands.
      Add arm_coordinated_reset.

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* libgssglue: update to 0.8
  Armin Kuster, 2023-12-29, 1 file, -2/+2

    LICENSE changed

    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ima,evm: Add two variables to write filenames and signatures into
  Stefan Berger, 2023-11-08, 1 file, -0/+12

    Add two variables, IMA_FILE_SIGNATURES_FILE and EVM_FILE_SIGNATURES_FILE,
    for filenames where the ima_evm_sign_rootfs script can write the names of
    files and their IMA or EVM signatures into. Both variables are optional.

    The content of the file with IMA signatures may look like this:

      /usr/bin/gpiodetect ima:0x0302046730eefd...
      /usr/bin/pwscore ima:0x0302046730eefd004...

    Having the filenames along with their signatures is useful for signing
    files in the initrd when the initrd is running out of a tmpfs filesystem
    that has support for xattrs. This allows enabling an IMA appraisal policy
    already in the initrd, where files must be signed as soon as the policy
    becomes active.

    Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* samhain: remove the buildpath
  Mingli Yu, 2023-11-08, 1 file, -0/+4

    Fixes:

    WARNING: samhain-server-4.4.10-r0 do_package_qa: QA Issue: File /var/lib/samhain/samhain-install.sh in package samhain-server contains reference to TMPDIR [buildpaths]
    WARNING: samhain-server-4.4.10-r0 do_package_qa: QA Issue: File /usr/share/doc/samhain-server/scripts/samhain.ebuild-light in package samhain-server-doc contains reference to TMPDIR
    File /usr/share/doc/samhain-server/scripts/samhain.ebuild in package samhain-server-doc contains reference to TMPDIR [buildpaths]

    Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* Update parsec recipes
  Gowtham Suresh Kumar, 2023-11-03, 4 files, -625/+659

    The parsec-service and parsec-tool recipes have been updated to use the
    1.3.0 and 0.7.0 versions respectively.

    Signed-off-by: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* fail2ban: add useful recommendations
  Rasmus Villemoes, 2023-10-08, 1 file, -0/+2

    On a systemd-based system, one is likely to make use of
    'backend=systemd', which requires the systemd module. Both the pyinotify
    and systemd backends require the distutils module.

    Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* fail2ban: change sqlite3 dependency to python3-sqlite3
  Rasmus Villemoes, 2023-10-08, 1 file, -1/+2

    Currently, one gets

      Unable to import fail2ban database module as sqlite is not available

    So we need to ensure the sqlite3 python module is available. That will
    automatically pull in libsqlite3. Since fail2ban does not actually depend
    on the CLI which the sqlite3 package provides, drop that dependency.

    Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* fail2ban: add systemd support
  Rasmus Villemoes, 2023-10-08, 1 file, -0/+10

    fail2ban ships with a suitable .service file, so install that if systemd
    is in DISTRO_FEATURES. The logic in rm_sysvinit_initddir in
    systemd.bbclass will then take care of removing the sysvinit script if
    sysvinit is not in DISTRO_FEATURES.

    Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* scap-security-guide: Drop Poky patch and update to tip
  Armin Kuster, 2023-09-25, 2 files, -76/+1

    The Poky patch has been accepted.

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* libhoth: Update
  John Broadbent, 2023-09-25, 1 file, -1/+1

    Changelog:

    Royce Rajan
      0e3eec6 Claim + Release USB connection when running `htool console`
      b36ebfc bazel: Stamp Git commit as version
      fd90feb meson: Stamp Git commit as version
      ba1403d Add get/clear panic record commands (#30)

    Chris Evans
      e34e9bd Update README.md for recently-added commands.

    Daimeng Wang
      611381e htool: Implement authz_record read/erase/build/set
      aaed60f htool: Add authz_record command API
      ad68019 libhoth: MTD allows zero byte read

    Pai Peng
      101f711 Add the 'statistics' command

    Signed-off-by: John Broadbent <jebr@google.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* lynis: Update to 3.0.9
  Armin Kuster, 2023-09-25, 1 file, -1/+1

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* swtpm: update 0.8.1
  Armin Kuster, 2023-09-25, 1 file, -3/+2

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* libhtp: update to 0.5.45
  Armin Kuster, 2023-09-25, 1 file, -0/+0

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* lkrg-module: update to 0.9.7
  Armin Kuster, 2023-09-25, 1 file, -2/+2

    LIC_FILES_CHKSUM changed due to year update

    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* python3-privacyidea: update to 3.8.1
  Armin Kuster, 2023-09-25, 1 file, -1/+1

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* openscap: update to 1.3.9
  Armin Kuster, 2023-09-25, 2 files, -41/+2

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* sssd: Update to 2.9.2
  Armin Kuster, 2023-09-25, 1 file, -2/+2

    Fixes the musl build regarding time structs.

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* suricata: Update to 7.0.0
  Armin Kuster, 2023-09-25, 4 files, -673/+1101

    Refresh patches.
    Update libhtp.

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* suricata: fix build issue.
  Armin Kuster, 2023-09-12, 1 file, -1/+2

    If you want to try to generate the lock file without accessing the
    network, remove the --frozen flag and use --offline instead.

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* layer.conf: update LAYERSERIES_COMPAT for nanbield
  Martin Jansa, 2023-09-11, 5 files, -5/+5

    * oe-core switched to nanbield in:
      https://git.openembedded.org/openembedded-core/commit/?id=f212cb12a0db9c9de5afd3cc89b1331d386e55f6

    Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ccs-tools: Fix do_package QA Issue.
  Lei Maohui, 2023-09-11, 1 file, -1/+1

    After usrmerge had been enabled, paxctl has the following error:

    ERROR: ccs-tools-1.8.9-r0 do_package: QA Issue: ccs-tools: Files/directories were installed but not shipped in any package:
      /sbin/ccs-init

    Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* paxctl: Fix do_package QA Issue.
  Lei Maohui, 2023-09-08, 2 files, -1/+29

    After usrmerge had been enabled, paxctl has the following error:

    ERROR: paxctl-0.9-r0 do_package: QA Issue: paxctl: Files/directories were installed but not shipped in any package:
      /sbin/paxctl

    Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* scap-security-guide: update to 0.1.69+
  Armin Kuster, 2023-09-08, 2 files, -391/+2

    Update to tip of branch.

    Drop 0001-scap-security-guide-add-openembedded-distro-support.patch, which
    is now included in tip.

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* scap-security-guide: pass the correct cpe/schemas/xsl paths to oscap
  Yi Zhao, 2023-09-08, 1 file, -0/+5

    There is a build error when using an openscap-native sstate cache mirror.

    Steps to reproduce:

    Create a new build project in the build-1 directory.
    $ bitbake openscap-native

    Then remove all directories in the build-1 directory except sstate-cache.
    Use the sstate-cache directory as the sstate mirror.

    Create another new build project in the build-2 directory.
    Set SSTATE_MIRRORS to point to the sstate-cache in the build-1 directory.
    $ bitbake scap-security-guide

    Error message:

    OpenSCAP Error: Schema file 'sds/1.3/scap-source-data-stream_1.3.xsd' not found in path '/build-1/tmp-glibc/work-shared/openscap/oscap-build-artifacts/usr/share/openscap/schemas' when trying to validate '/build-2/tmp-glibc/work/corei7-64-wrs-linux/scap-security-guide/0.1.67/build/ssg-openembedded-ds.xml' [/build-1/tmp-glibc/work/x86_64-linux/openscap-native/1.3.8/git/src/source/validate.c:103]

    The oscap command from openscap-native tries to find the schema files in
    the build-1 directory, since these paths are hardcoded when building
    openscap-native. We need to pass the correct cpe/schemas/xsl paths to
    oscap to make sure it can find the files in the right location.

    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* layer: add QA_WARNINGS to all layers
  Armin Kuster, 2023-08-06, 5 files, -0/+10

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* meta-tpm linux-yocto-rt: Add the bbappend for rt kernel
  Armin Kuster, 2023-08-06, 1 file, -0/+1

    So that the security features in this layer can be used on the rt kernel.

    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* linux-yocto-rt: Add the bbappend for rt kernel
  Kevin Hao, 2023-08-06, 1 file, -0/+1

    So that the security features in this layer can be used on the rt kernel.

    Signed-off-by: Kevin Hao <kexin.hao@windriver.com>
    Signed-off-by: Armin Kuster <akuster808@gmail.com>

* sshguard: Update to 2.4.3
  Armin Kuster, 2023-08-06, 1 file, -1/+1

    Changelog: https://bitbucket.org/sshguard/sshguard/src/master/CHANGELOG.rst

    Signed-off-by: Armin Kuster <akuster808@gmail.com>